Archive for the ‘Spring Security’ Category

Tracking logged in users using spring-security and HttpSessionListener in java web application

Thursday, February 19th, 2009

If you haven’t already, please first read my article on configuring spring security and after that the article on writing a custom AuthenticationProcessingFilter. It is imperative that you know how to do both before you continue.

We always want to know who is on our website, how many users are logged in and how many visitors are present. Not only is the information useful, it also looks good. :) I tried looking for pluggable solutions to track users but couldn’t find any. Having implemented spring security in a few web apps, I decided to see if there was an easy way to do this. (more…)

Custom AuthenticationProcessingFilter for spring security to perform actions on login

Monday, February 16th, 2009

Questions like this one pop up on the spring security forum all the time. The question is almost always the same. The system must perform some custom action after a user logs in or out of the system. And almost always this action has to be performed on the session, like setting an attribute or removing one. Sometimes users also want to put their own User object in the session for later use in the application. All these actions can be performed by writing a custom AuthenticationProcessingFilter and replacing the default instance on the filter chain with your implementation.

Before I show you how to write your very own filter, (more…)

Writing custom UserDetailsService for spring security

Wednesday, February 11th, 2009

I wish spring security would work on their documentation and tell people how easy it is to implement a custom service for loading user details. You don’t HAVE to use JDBC to do that, you can write your very own hibernate, toplink or whatever DAO to do just that. It’s important to realise that spring-security does not send your password to the database ever. Instead it loads a user’s details and then compares its password internally before validating the user and granting it access to internal pages. (more…)

Spring security login and logout form

Monday, February 9th, 2009

So I managed to configure spring security in my last article here, but what do I do now? How do I create the login form, login.jsp, for my users to authenticate from? I searched around and found a few articles but none that listed out the login page. Then I looked in the spring-security distribution (more…)

Configuring spring security

Sunday, February 8th, 2009

I have written another post listing how to construct your login and logout pages to work with spring-security. It’s important that you read this post first if you’re new to spring-security.

Security in web applications is a big concern. More often than not developers miss securing a few pages here and there. These pages aren’t a huge concern till someone finds them and starts to mess with your system using them. Then the scramble to fix and re-evaluate your security starts. So, why don’t we secure ALL our pages instead of most of them? And why don’t we allow access to only those which we define and block access to everything else? This inverted model of security is what has been implemented in spring security. It’s a beautiful and powerful solution to securing web apps. Yes, I’m a spring fanboi but you’ll love spring security too once you love it.

As with anything else related to spring, the learning curve on spring-security is just as steep. But once you get the hang of it, it’s easy peasy and you can use the same configuration over and over again in your web apps. It’s also worthwhile to mention that spring-security’s documentation could be a LOT better in terms of content, not to mention better laid out. (more…)